Singapore Common Criteria Scheme

Launched by Prime Minister Lee Hsien Loong at the Singapore International Cyber Week in 2016, Singapore’s Cybersecurity Strategy outlines how we will strengthen the resilience of Singapore’s cybersecurity. The Strategy is underpinned by four pillars , namely Building a Resilient Infrastructure; Creating a Safer Cyberspace; Developing a Vibrant Cybersecurity Ecosystem; and Strengthening International Partnerships.

To ensure a resilient infrastructure, cybersecurity must be an important consideration when companies design their systems and networks. Establishing cybersecurity measures early will benefit companies by protecting them from the reputational and financial risks posed by cyber threats. This Security-by-Design approach is more cost-effective than trying to implement measures after systems have been already designed and put in place. Product assurance, whereby products are evaluated and certified based on international standards such as Common Criteria (CC), is part of the Security-by-Design approach to reduce attack surface.

About the Common Criteria

The genesis of CC was developed through a collaboration among national security and standards organisations in Canada, France, Germany, the Netherlands, the United Kingdom and the United States as a common standard to replace their existing security evaluation criteria.

The CC is now recognised as the ISO/IEC 15408.The CC is adopted by members of the Common Criteria Recognition Arrangement (CCRA) in order to facilitate mutual recognition of evaluation and certification results. As a result, consumers can benefit from having a wider choice of CC certified IT products, and developers will benefit from having greater access to markets and understanding of the security requirements (described in the form of collaborative Protection Profiles). The CC harmonises the evaluation of IT products by defining a common set of security functions which product developers use to establish the security requirements of their IT products in a standardised language. The Common Methodology for IT Security Evaluation (CEM) (ISO/IEC 18045) is used for evaluating the product against the established security requirements, confirming that the product is capable of meeting these requirements with an appropriate level of assurance.

The Singapore Common Criteria Scheme (SCCS) is established to provide a cost effective regime for the info-communications industry to evaluate and certify their IT products against the CC standard in Singapore. The SCCS is owned and managed by the Cyber Security Agency of Singapore (CSA).

claim conformance to a National Protection Profile published by CSA; or

claim conformance to a Protection Profile endorsed/approved by CSA.

*Note: Products not claiming conformance to the above (i.e. ST only evaluations) may be accepted on a case-by-case basis. Please contact CSA for further guidance.

Common Criteria Users Forum (CCUF)

The CCUF (http://ccusersforum.org) provides a platform for discussion amongst the CC community. CSA strongly encourages parties who are interested in Common Criteria to sign up and participate in the discussions.